Wednesday, August 24, 2011

A Website that Ranks your Hacks

So you think you can hack?

Some 700 hackers looking to show off their talents have piled into an upstart Web site called RankMyHack.com in the last month. Emerging from the shadowy underground, they have submitted evidence of more than 1,200 Web site hacks, eager to have their feats measured against those of their peers.

The site was created by a hacker nicknamed Solar to bring a little accountability to the online forums and chat rooms where hackers gather to learn tricks of the trade, buy and sell contraband and form alliances. There, eBay-style ratings systems meant to establish reputations are routinely abused, morality tends to be fluid and anonymous young people often talk big while carrying a small stick.

RankMyHack offers a way to separate the skilled from the so-called script kiddies by verifying hacks using codes that participants must plant somewhere on sites they have compromised. As in a video game, RankMyHack awards points, which are based on the popularity of the hacked site and the technical difficulty of the hack. Total scores determine hackers’ ranks on the “leader board of legends.” Players can even challenge one another to duels.

“So have you got what it takes to be the best?” Solar taunts on the site’s home page, which has a distinctively retro design.

Participants can also win “bounties” for hacking racist sites as well as university, military and government sites, an element intended “to focus the abilities of talented hackers against political and government forces.”

In an e-mail interview, Solar, who declined to disclose his name or age, said he was a computer-science student in Britain and aspired to a career in computer security. He acknowledged hacking illegally “in the past” to develop his skills, but said he had never engaged in criminal acts like fraud.

As of Sunday, the top break-in on the site was said to be a hack of The Huffington Post, worth nearly 1.7 million points and claimed by Mudkip, who is also the site’s top-ranked hacker. The second-biggest hack, worth 1.5 million points, was said to be on Google, by Blackfan.

The Huffington Post did not respond to requests for comment. Google said Blackfan had told it about a minor bug in the mobile version of Google.com as part of its program to reward security researchers for finding and disclosing vulnerabilities. The flaw poses no risk to users, Google said.

Hackers like Mudkip and Blackfan can use a RankMyHack banner to display their stats on other Web sites, including hacker forums.

But the banners can also help crime groups find talented and willing recruits, warned Rob Rachwald, director of security strategy at Imperva, a security company. “If you like blood on your hands, this shows you’re willing to do the dirty work.”

And RankMyHack could be useful to the authorities. “The ability to verify that a person compromised a system is a law enforcement person’s dream,” said Holt Sorenson, a security specialist who helps run the Capture the Flag competition at the annual Def Con hacker conference in Las Vegas.

RankMyHack seems to take a page from competitions like Capture the Flag that attract some of the world’s most skilled hackers. In that game, competing teams defend their computers from attack while trying to steal a piece of data from or plant data on another team’s computer. Organizers verify hacks and declare winners.

At Def Con, no real damage is done and a strong performance can cement a reputation — and attract job offers. But RankMyHack, which celebrates and some say incites illegal hacking, could hurt Solar’s prospects for a career path that requires trust.

Solar argued that the hacks would occur regardless, and that the site was positive because hackers did not need to do damage to prove they had infiltrated a site.

He said security companies should be impressed that, “secured to the teeth” and attacked a hundred times a day, RankMyHack itself was still standing.